
Date: Thu, 26 Aug 2010 09:37:57 -0500
From: Mike Roszkowski <roszkowski@wisc.edu>
Subject: has_mandatory_for_kdc_authdata checks only first authdata element
To: krb5-bugs@mit.edu

>Submitter-Id: net
>Originator: Mike Roszkowski
>Organization: University of Wisconsin-Madison

>Confidential: no
>Synopsis: has_mandatory_for_kdc_authdata checks only first authdata element
>Severity: non-critical
>Priority: low
>Category: krb5-kdc
>Class: sw-bug
>Release: 1.8.2
>Environment:

System: Linux sugar.doit.wisc.edu 2.6.18-194.3.1.el5 #1 SMP Sun May 2 04:17:42 EDT 2010 x86_64 x86_64 x86_64 GNU/Linux
Architecture: x86_64

>Description:

I was trying to debug a kdc crash and was looking at kdc_authdata.c and found
what looks to be a typo in has_mandatory_for_kdc_authdata:

1 if (authdata != NULL) {
2     for (i = 0; authdata[i] != NULL; i++) {
3         if (authdata[0]->ad_type == KRB5_AUTHDATA_MANDATORY_FOR_KDC) {
4             ret = TRUE;
5             break;
6         }
7     }
8 }


In the line marked "3" above, only authdata[0] is being checked. I think the
intention was to check all the authdata elements, so it should be
authdata[i].

>How-To-Repeat:

>Fix:

From: ghudson@mit.edu
Subject: SVN Commit

Properly search for MANDATORY-FOR-KDC authdata elements. Reported by
Mike Roszkowski.


https://github.com/krb5/krb5/commit/e1365586bae0591541b72ca8a223fa73a57aa2bd
Commit By: ghudson
Revision: 24286
Changed Files:
U trunk/src/kdc/kdc_authdata.c

Date: Thu, 2 Sep 2010 08:37:28 -0700 (PDT)
From: glenn.barry@oracle.com
To: rt-comment@krbdev.mit.edu
Subject: Auto Reply: [krbdev.mit.edu #6764] SVN Commit
RT-Send-Cc:

I'll be out of the office from Sep 2 - 10. Pls contact Anup.Sekhar@oracle.com if it can't wait till I get back.

A brief security analysis:

For application servers, authdata elements are supposed to be mandatory
by default, meaning the server should reject the request if it doesn't
understand the authdata. For KDCs, authdata elements are only mandatory
if they are embedded in a MANDATORY-FOR-KDC container.

Because of this bug, the KDC might not properly reject a request which
contains a MANDATORY-FOR-KDC container. This is no worse than the
behavior in 1.7 and prior, so this does not constitute a serious security
issue. I'm not aware of any defined authdata types which make use of
MANDATORY-FOR-KDC.
From: tlyu@mit.edu
Subject: SVN Commit

pull up r24286 from trunk

------------------------------------------------------------------------
r24286 | ghudson | 2010-09-02 11:35:25 -0400 (Thu, 02 Sep 2010) | 7 lines

ticket: 6764
tags: pullup
target_version: 1.8.4

Properly search for MANDATORY-FOR-KDC authdata elements. Reported by
Mike Roszkowski.

https://github.com/krb5/krb5/commit/d4da5fa8b83164300b97d0d3b1a859c76335c65a
Commit By: tlyu
Revision: 24459
Changed Files:
U branches/krb5-1-8/src/kdc/kdc_authdata.c
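
The loop quoted in the report next to the form the reporter suggested, as an added example that is not code from the krb5 source tree. `authdata_elem` is a simplified stand-in for `krb5_authdata`, the function names and sample arrays are constructed for illustration, and the type numbers are the ones assigned in RFC 4120.

```c
#include <stddef.h>
#include <stdio.h>

/* Authdata type numbers from RFC 4120; names follow krb5.h. */
#define KRB5_AUTHDATA_IF_RELEVANT       1
#define KRB5_AUTHDATA_MANDATORY_FOR_KDC 8

/* Assumption: simplified stand-in for krb5_authdata (only ad_type is read). */
typedef struct { int ad_type; } authdata_elem;

/* Loop as quoted in the report: the test always reads element 0. */
static int has_mandatory_buggy(authdata_elem **authdata)
{
    int ret = 0;
    size_t i;
    if (authdata != NULL) {
        for (i = 0; authdata[i] != NULL; i++) {
            if (authdata[0]->ad_type == KRB5_AUTHDATA_MANDATORY_FOR_KDC) {
                ret = 1;
                break;
            }
        }
    }
    return ret;
}

/* Same search with the reporter's suggested index, authdata[i]. */
static int has_mandatory_fixed(authdata_elem **authdata)
{
    size_t i;
    for (i = 0; authdata != NULL && authdata[i] != NULL; i++) {
        if (authdata[i]->ad_type == KRB5_AUTHDATA_MANDATORY_FOR_KDC)
            return 1;
    }
    return 0;
}

/* Constructed inputs: NULL-terminated pointer arrays, as the loop expects. */
authdata_elem ad_rel = { KRB5_AUTHDATA_IF_RELEVANT };
authdata_elem ad_mand = { KRB5_AUTHDATA_MANDATORY_FOR_KDC };
authdata_elem *mand_second[] = { &ad_rel, &ad_mand, NULL };
authdata_elem *mand_first[] = { &ad_mand, &ad_rel, NULL };
authdata_elem *empty_list[] = { NULL };

int main(void)
{
    printf("mandatory element second: buggy=%d fixed=%d\n",
           has_mandatory_buggy(mand_second), has_mandatory_fixed(mand_second));
    return 0;
}
```

The two versions agree only when the MANDATORY-FOR-KDC element is first in the list or absent from it; a regression test for this check should place the element at a later index.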